Key Points - Sandworm Campaign


■ Cyber Espionage Campaign attributed to Russia 

- Targeting includes

• NATO

• Ukraine

• Poland

• European Union

• European Telecommunications

• Energy Sector

- Attribution to one of 5 active Russian intrusion teams monitored by iSIGHT Partners 

- "Sandworm Team" 

■ Named for its affinity for/coded references to science fiction series Dune 

■ Campaign partially detailed by researchers at F-Secure and ESET - captured only a small component of targeting and missed critical elements

■ Utilizing Zero-day flaw in Microsoft Windows (CVE-2014-4114) 

- Spear-phishing campaign using weaponized Microsoft Office documents 

■ Visibility into multiple PowerPoint lures 

- Impacts all versions of Windows from Vista to 8.1

■ Windows Server 2008, 2012

■ Flaw has existed for years 

- Zero-day nature of vulnerability leads to conclusion that intrusion efforts were highly effective

- Close collaboration between iSIGHT Partners and Microsoft - patch is being released on Tuesday, October 14th



[Figure: Windows version logos - Windows Vista, Windows, Windows 8]
Sandworm Campaign - Timeline of Events


Monitoring Sandworm Team from late 2013 and throughout 2014 

- Genesis of team dates to as early as 2009 

- Increased activity throughout 2014 

Visibility into this specific campaign began in December of 2013 

- NATO alliance targeted as early as December 2013 

- GlobeSec attendees targeted in May 2014 

- June 2014 

■ Western European government agency 

■ Polish energy firm targeted using CVE-2013-3906 

■ BlackEnergy variant configured with Base64-encoded reference to French telecommunications firm 

- Zero-day artifacts captured late August/early September (CVE-2014-4114) 

■ Spear-phishing email and exploit targeting Ukrainian government

■ Coinciding with NATO summit on Ukraine in Wales 

■ At least one US organization fell victim - think tank/academia 


iSIGHT Partners labs team discovered use of zero-day vulnerability on September 3, 2014 
Immediately notified targeted parties, clients across multiple government and private sector domains 

Began working with Microsoft on September 5, 2014 

- Provided technical analysis of vulnerability and the malware used to exploit it 

- Coordinated tracking of campaign 

■ Monitoring for broader targeting and victimization 

■ Monitoring for broader use of zero-day exploit in the wild 


Purposely timing disclosure to coincide with the release of the patch 

- Minimizes potential for copy-cat exploit creation 

- Limits exposure to a broad reaching, severe vulnerability 
Sandworm Campaign - Timeline of Events

[Figure: timeline graphic spanning 2009, 2013 and 2014; the text of its callouts follows]

As early as 2009

• Genesis of Sandworm Team

Late 2013 and throughout 2014

• Monitoring of Sandworm Team

• Traced to 2009

• Increased activity throughout 2014

May 2014

• GlobeSec attendees targeted

June 2014

• Western European government agency

• Polish energy firm targeted (CVE-2013-3906)

• BlackEnergy variant w/Base64-encoded reference to French telecomm firm

September 2014

• Zero-day artifacts captured (CVE-2014-4114)

• Spear-phishing email/exploit targeting Ukrainian government

• Coinciding with NATO summit on Ukraine in Wales

• At least one US org fell victim (think tank/academia)

September 3, 2014

• iSIGHT Partners labs discovers zero-day vulnerability

• Immediately notified targeted parties and clients across government and private sector domains

September 5, 2014

• Began working with Microsoft

• Provided technical analysis of vulnerability and malware used in exploit

• Coordinated tracking of campaign

- Monitoring for broader targeting and victimization

- Monitoring for broader use of zero-day exploit in the wild

Purposely timed disclosure to coincide w/MSFT patch release

• Minimizes potential for copy-cat exploit creation

• Limits exposure to a broad reaching, severe vulnerability
Sandworm Campaign - Visible Targets

[Figure: icons of the visible target sectors]

• Government

• Academic

• NATO

• Energy

• Telecom


Proprietary and Confidential Information. © Copyright 2014, iSIGHT Partners, Inc. All Rights Reserved www.isightpartners.com 


Sandworm Campaign -

[Screenshot: GLOBSEC 2014 forum announcement (ninth annual GLOBSEC Forum, 14-16 May 2014, Bratislava, Slovakia) used as lure]

Spear-phishing attachment: GlobeSec Forum on Russia

[Screenshot: article "Diplomatic Fallout: Europe's Struggle for Strategic Competitiveness" used as lure]

Diplomacy spear-phishing attachment
[Screenshot: Wood Mackenzie shale gas report excerpt and EIA energy chart to 2035 used as lure]

Energy spear-phishing attachment, specifically crafted for Polish audience

Zero-day spear-phishing attachment, purported list of Russian sympathizers/"terrorist" actors
Sandworm Campaign - Attribution: Russian Cyber Espionage


Marked increase in cyber espionage activities linked to Russia 

- Russia is increasing its cyber-espionage focus and the volume is up in 
2014 

- iSIGHT recently detailed activities of Tsar Team 

■ Mobile malware targeting multiple platforms 

- Android, Windows, iOS

■ Targets include 

- Foreign militaries 

- Defense contractors 

- Ministries of foreign affairs 

- News organizations 

- NGOs and multilaterals 

- Jihadists 

Sandworm is one of 5 active cyber intrusion teams linked to Russia 
being monitored by iSIGHT Partners 

- Activities date back as far as 2009 

- Identified through overlapping infrastructure, use of traditional 
crimeware, unique references to Dune 

- Team has an affinity for using traditional cyber crime tools as a 
component of its activities 

■ BlackEnergy malware 

- Used at least 2 versions of BlackEnergy 

» BlackEnergy 2 - traditional crimeware 

» BlackEnergy 3 (Lite) 

• No documented use in crime - may have been 
purpose built for Sandworm 

- Samples tied on basis of configuration to same combination of internal 
proxies 

• Up to 7 proxies in common 


[Screenshot: directory listing in Russian from the command and control server, dated 23.05.2013; caption: "Text Files with Directory of User"]



iSIGHT Partners believes Sandworm Team has Russian origins based on several

Files retrieved from an open directory on a command and control server included a directory listing in Russian and a help file for the BlackEnergy Trojan also written in Russian





Social engineering is designed to appeal to personnel involved in military and intelligence operations against Russia, such as a list of pro-Russian "terrorists" sent in an email.

BlackEnergy source code was released through Russian e-crime channels.

[Figure: list of purported pro-Russian "terrorists"]

Known targeting is consistent with antagonists to NATO as well as Ukrainian and European Union governments.
Cyber Espionage, Cyber Crime and Hacktivism... Blurring of Lines in Russia


Growing trend of blurred lines across cyber threat domains 

- Not just in Russia but more pronounced here recently 

Russian overlap 

- Links between criminal activity and cyber espionage activity are not uncommon

■ Tools 

■ Talent 

- Some examples... 

■ Zeus used in massive espionage campaign against US Government in 2008 
and again in 2012 

■ Pro-Russian hacktivism used BlackEnergy in the past during Georgian 
conflict 

■ Russians allegedly contracted a cyber crime actor in Georbot campaign 
against Georgia 

- Attributed to Eshkinkot - Russian national named Vladimir A. 
Lenskij 

- Georgian CERT claimed to have captured e-mail messages and docs from Russian handlers

» Instructing on how to use malware to record audio 

» Capture screen shots 
» Exfiltrate data 

■ TEMP.Noble (another Russian intrusion actor monitored by iSIGHT) 

- Sensitive source indicates that malware components were developed through a for-hire cyber crime forum

- BlackEnergy 

■ Criminal actors 

■ Sandworm Team 
Details - Microsoft Windows Zero Day CVE-2014-4114


Affects all supported versions of Microsoft Windows

- Windows Vista x64 Service Pack 2

- Windows Vista Service Pack 2

- Windows Server 2008 R2 x64 Service Pack 1

- Windows Server 2008 Service Pack 2

- Windows Server 2008 x64 Service Pack 2

- Windows Server 2012

- Windows Server 2012 R2

- Windows 7 Service Pack 1

- Windows 7 x64 Service Pack 1

- Windows 8 x64

- Windows 8

- Windows 8.1 x64

- Windows 8.1

- Windows RT

- Windows RT 8.1

Does not appear to affect Windows XP 


Exposed, dangerous method vulnerability

- OLE package manager in Microsoft Windows and Server

- Vulnerability allows an attacker to remotely execute arbitrary code

- Windows allows OLE packager (packager.dll) to download and execute INF files

- In case of observed exploit, specifically when handling Microsoft PowerPoint files:

■ Packager allows a Package OLE object to reference arbitrary external files (such as INF) from untrusted sources

■ Causes referenced files to be downloaded and executed with specific commands

■ Attacker can exploit to execute arbitrary code

■ Needs specifically crafted file and social engineering methods to convince user to open
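As an added defensive example (not iSIGHT's or Microsoft's code, and not part of the original slides), the following Python scanner looks for the document-level pattern the slide describes: an OLE Package object in an Office Open XML deck whose relationship points at an external or remote file. It unzips the deck, reads every `.rels` part, flags `oleObject` relationships that are marked External or whose target is a UNC share or URL, and cross-references the slide's `<p:oleObj progId="Package">` elements so the finding says whether the reference belongs to a Package object. The namespace URIs are the standard OOXML ones; the sample deck it builds is constructed for the demonstration, uses a placeholder host name and carries no payload. A mail gateway or sandbox can run the same check on attachments before a user opens them.

```python
"""Scan an Office Open XML deck (.pptx/.ppsx) for OLE Package objects whose
relationship points at an external or remote target, the document pattern
described for CVE-2014-4114. Added example, not iSIGHT or Microsoft code."""
import io
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML namespaces (real values, not assumptions).
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
P_NS = "http://schemas.openxmlformats.org/presentationml/2006/main"
OLE_REL_TYPE = R_NS + "/oleObject"


def is_remote_target(target: str) -> bool:
    """True for UNC shares and URL schemes that would make Windows fetch the file."""
    t = target.strip().lower()
    if t.startswith("file:"):
        t = t[len("file:"):].lstrip("/")  # file:///\\host\share -> \\host\share
    return t.startswith(("\\\\", "//", "http://", "https://", "ftp://", "smb://"))


def package_object_ids(slide_xml: bytes) -> set:
    """Relationship ids of <p:oleObj progId="Package"> elements in one slide part."""
    root = ET.fromstring(slide_xml)
    return {obj.get(f"{{{R_NS}}}id", "")
            for obj in root.iter(f"{{{P_NS}}}oleObj")
            if obj.get("progId") == "Package"}


def scan_ooxml(data: bytes) -> list:
    """Return one finding per oleObject relationship that is external or remote."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        for name in names:
            if not name.endswith(".rels"):
                continue
            # ppt/slides/_rels/slide1.xml.rels describes ppt/slides/slide1.xml
            source = name.replace("/_rels/", "/")[: -len(".rels")]
            pkg_ids = set()
            if source.endswith(".xml") and source in names:
                pkg_ids = package_object_ids(zf.read(source))
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("Type") != OLE_REL_TYPE:
                    continue
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "Internal").lower() == "external"
                if external or is_remote_target(target):
                    findings.append({
                        "part": name,
                        "id": rel.get("Id"),
                        "target": target,
                        "remote": is_remote_target(target),
                        "package_object": rel.get("Id") in pkg_ids,
                    })
    return findings


def build_sample_deck(target: str, external: bool) -> bytes:
    """Constructed minimal deck for exercising the scanner: one slide holding a
    Package object whose relationship points at `target`. Not schema-complete,
    not a lure; it contains no INF or executable content."""
    mode = ' TargetMode="External"' if external else ""
    rels = (f'<Relationships xmlns="{RELS_NS}">'
            f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" Target="{target}"{mode}/>'
            f'</Relationships>')
    slide = (f'<p:sld xmlns:p="{P_NS}" xmlns:r="{R_NS}"><p:cSld><p:spTree>'
             f'<p:graphicFrame><p:oleObj progId="Package" r:id="rId2"/></p:graphicFrame>'
             f'</p:spTree></p:cSld></p:sld>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("ppt/slides/slide1.xml", slide)
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # PLACEHOLDER-HOST is a constructed name, not a real indicator.
    deck = build_sample_deck("file:///\\\\PLACEHOLDER-HOST\\share\\example.inf", True)
    for f in scan_ooxml(deck):
        print(f"{f['part']}: {f['id']} -> {f['target']} "
              f"(remote={f['remote']}, package_object={f['package_object']})")
```

The scanner flags any External relationship, not only remote ones: a Package object pointing at a local path is still an unusual construct in a received deck and worth a look, while the `remote` flag separates the case the slide describes, where Windows has to fetch the referenced file from an untrusted source before executing it.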
Collaboration with Microsoft


iSIGHT Partners follows responsible disclosure procedures

- Targeted entities 

- Government and Law Enforcement 

- Impacted Software vendor(s) 

■ Microsoft 

Disclosed identification of zero-day 2 days after analysis 

- Began immediate collaboration with Microsoft 

■ Supporting development of a patch 

■ Tracking utilization of the vulnerability in the wild 

Timed disclosure to minimize the potential for broader victimization

- Patch ready for release Tuesday, October 14th

- "Break in case of emergency" plan in place for past 5 weeks 

■ Trigger: Broader propagation of malware targeting vulnerability 

■ Trigger: Evidence of broader victimization 
Workarounds - Microsoft Windows Zero Day CVE-2014-4114


■ Disable the WebClient Service 

- Impact 

■ Web Distributed Authoring and Versioning (WebDAV) requests are not transmitted

■ Any service depending on Web Client service will not start 

■ Block TCP ports 139 and 445

- Impact 

■ Ports 139 and 445 are used for additional services including Common Internet 
File System (CIFS), DNS Administration, NetBT service sessions, printer sharing 
sessions and more 

■ Disabling could affect functionality of those services 

■ Block launching of Executables via Setup Information Files 

- Impact 

■ Applications that rely on the use of .INF files to execute an installer application may not automatically execute